Point of sale terminal having enhanced security

ABSTRACT

A data entry device including a housing formed of at least two portions, data entry circuitry located within the housing, at least one case-open switch assembly operative to sense when the housing is opened and tamper indication circuitry operative to receive an input from the at least one case-open switch assembly and to provide an output indication of possible tampering with the data entry circuitry located within the housing. The at least one case-open switch assembly includes an arrangement of electrical contacts arranged on a base surface and a resiliently deformable conductive element, which defines a short circuit between at least some of the arrangement of electrical contacts only when the housing is closed.

REFERENCE TO RELATED APPLICATIONS

Reference is made to the following patent and patent applications, ownedby assignee, the disclosures of which are hereby incorporated byreference, which are believed to relate to subject matter related to thesubject matter of the present application:

U.S. Pat. No. 6,853,093; U.S. Published Patent Applications No.2007/0152042 and 2009/0184850; and U.S. patent application Ser. No.12/666,054.

FIELD OF THE INVENTION

The present invention relates generally to secure keypad devices andmore particularly to data entry devices having anti-tamperfunctionality.

BACKGROUND OF THE INVENTION

The following U.S. Patent Publications are believed to represent thecurrent state of the art and are hereby incorporated by reference:

-   U.S. Published Patent Application Nos. 2008/0278353 and    2007/0102272;-   U.S. Pat. Nos. 7,270,275; 6,646,565; 6,917,299; 6,936,777;    6,563,488; 5,559,311 and 4,486,637;-   European Patent Nos.: 1421549 and 1676182;-   Great Britain Patent Application No. GB8608277;-   Japanese Patent Application No. JP2003100169;-   French Patent Application No. 2911000; and-   Published PCT Patent Application No. WO2009/091394.

SUMMARY OF THE INVENTION

The present invention seeks to provide improved secure keypad devices.

There is thus provided in accordance with a preferred embodiment of thepresent invention a data entry device including a housing formed of atleast two portions, data entry circuitry located within the housing, atleast one case-open switch assembly operative to sense when the housingis opened and tamper indication circuitry operative to receive an inputfrom the at least one case-open switch assembly and to provide an outputindication of possible tampering with the data entry circuitry locatedwithin the housing. The at least one case-open switch assembly includesan arrangement of electrical contacts arranged on a base surface and aresiliently deformable conductive element, which defines a short circuitbetween at least some of the arrangement of electrical contacts onlywhen the housing is closed. The resiliently deformable conductiveelement includes an at least partially continuous circumferential flangefixed at least two locations thereat in electrical contact with at leastone of the electrical contacts at least two corresponding locations onthe base surface, a circumferential portion having a cross sectionalconfiguration which includes two mutually spaced arches, a centralportion disposed in a case-open operative orientation at a firstdistance from the base surface and a contact portion located interiorlyof the central portion and disposed in a case-open operative orientationat a second distance from the base surface, less than the firstdistance.

Preferably, the arches of the circumferential portion are at least at adistance from the base surface which exceeds the first distance.

In accordance with a preferred embodiment of the present invention thecentral portion is generally flat. Additionally or alternatively, thecontact portion is generally flat.

Preferably, the resiliently deformable conductive element defines ashort circuit between some, but not all, of the arrangement ofelectrical contacts when the housing is closed.

In accordance with a preferred embodiment of the present invention thearrangement of electrical contacts arranged on a base surface includesan outer ring, at least one intermediate ring and a central contact.Additionally, the at least one intermediate ring includes an outerintermediate ring and an inner intermediate ring.

Preferably, the outer intermediate ring is a continuous ring.Alternatively, the outer intermediate ring is divided into pluralelements.

In accordance with a preferred embodiment of the present invention thecentral portion of the resiliently deformable conductive elementcontacts the central contact when the housing is closed. Additionally,when the central portion of the resiliently deformable conductiveelement contacts the central contact, the outer intermediate ring isthereby electrically connected with the central contact.

Preferably, when the central portion of the resiliently deformableconductive element contacts the central contact, no part of theresiliently deformable conductive element is in electrical contact witheither the outer ring or the inner intermediate ring. Additionally, theouter ring and the inner intermediate ring are both coupled to a voltageVDD via a first resistor, the outer intermediate ring is grounded, andthe central contact is coupled to voltage VDD via a second resistor.

In accordance with a preferred embodiment of the present invention theinput to the tamper indication circuitry includes an indication ofwhether the deformable conductive element is simultaneously in contactwith both the central contact and the outer intermediate ring.Additionally or alternatively, the input to the tamper indicationcircuitry includes an indication of whether the inner intermediate ringis short circuited with at least one of the central contact and theouter intermediate ring. Alternatively or additionally, the input to thetamper indication circuitry includes an indication of whether the outerring is short circuited with the outer intermediate ring.

Preferably, a separation between the contact portion of the resilientlydeformable conductive element and the central contact is less than 0.1mm. Additionally or alternatively, a force required to establishelectrical contact between the contact portion of the resilientlydeformable conductive element and the central contact is approximately200 grams.

Preferably, the data entry device also includes an anti-tampering grid,formed of a multiplicity of interconnected anti-tampering electricalconductors in a circuit board associated with the tamper indicationcircuitry.

There is also provided in accordance with a preferred embodiment of thepresent invention a case-open switch assembly for a data entry deviceincluding a housing, the case-open switch assembly including anarrangement of electrical contacts arranged on a base surface and aresiliently deformable conductive element, which defines a short circuitbetween at least some of the arrangement of electrical contacts onlywhen the housing is closed. The resiliently deformable conductiveelement includes an at least partially continuous circumferential flangefixed at least two locations thereat in electrical contact with at leastone of the electrical contacts at least two corresponding locations onthe base surface, a circumferential portion having a cross sectionalconfiguration which includes two mutually spaced arches, a centralportion disposed in a case-open operative orientation at a firstdistance from the base surface and a contact portion located interiorlyof the central portion and disposed in a case-open operative orientationat a second distance from the base surface, less than the firstdistance.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be understood and appreciated more fully fromthe following detailed description, taken in conjunction with thedrawings in which:

FIGS. 1A and 1B are simplified exploded view illustrations, taken inrespective opposite directions, of part of a secure keypad deviceconstructed and operative in accordance with a preferred embodiment ofthe present invention in a case open operative orientation;

FIG. 1C is a simplified illustration of the secure keypad device ofFIGS. 1A and 1B in a case closed operative orientation;

FIG. 2 is a simplified planar illustration of the interior of a portionof the housing of the secure keypad device illustrated in FIGS. 1A-1C;

FIGS. 3A & 3B are simplified planar illustrations, taken in respectiveopposite directions, of a keypad portion of the secure keypad deviceillustrated in FIGS. 1A-2;

FIGS. 4A & 4B are simplified planar illustrations, taken in respectiveopposite directions, of a case open switch forming part of the securekeypad device illustrated in FIGS. 1A-3B;

FIGS. 5A & 5B are simplified pictorial illustrations, taken inrespective opposite directions, of the case open switch of FIGS. 4A &4B;

FIGS. 6A & 6B are simplified sectional illustrations of the case openswitch of FIGS. 4A-5B in respective case closed and case open operativeorientations; and

FIG. 7 is a simplified sectional illustration, taken along lines VII-VIIin FIG. 1C, of a portion of the secure keypad device, including the caseopen switch in a case closed operative orientation.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

The present invention seeks to provide an improved security system forelectronic devices, especially tamper-protected point of sale terminalsand other devices containing sensitive information, such as personaldata and encryption keys. For the purposes of the present descriptionand claims, the term “point of sale terminals” includes, inter alia, PINpads, electronic cash registers, ATMs, card payment terminals and thelike.

The point of sale terminals preferably include a housing, an anti-tamperprotected enclosure located within the housing and adapted to containthe sensitive information, anti-tamper protection circuitry locatedwithin the anti-tamper protected enclosure and case open switcheselectrically coupled to the anti-tamper protection circuitry forprotecting against unauthorized access to the interior of theanti-tamper protected enclosure.

Preferably, a confidential data storage element is located within theanti-tamper protected enclosure. Additionally or alternatively a dataentry element is also mounted in the housing.

Preferably, the anti-tamper protection circuitry is operative, in theevent of unauthorized opening on the housing to perform at least one ofthe following actions: generate an alarm indication, disable the deviceand erase the sensitive data.

Reference is now made to FIGS. 1A-5B, which illustrate a secure keypaddevice constructed and operative in accordance with a preferredembodiment of the present invention.

As seen in FIGS. 1A-5B, there is provided a secure keypad device 100including a housing element 102 which, together with a back panel 103,defines a keypad device housing. Housing element 102 includes, on a topsurface 104 thereof, a display window 106, through which a display (notshown) may be viewed, and an array 108 of key apertures 110.

It is a particular feature of an embodiment of the present inventionthat the housing element 102 includes on an underside surface 112thereof a plurality of spaced case open switch actuation protrusions114.

A resilient key mat 116, preferably formed of a resilient plastic orrubber, defines a plurality of depressible keys 118, preferablyintegrally formed with the remainder of key mat 116, which partiallyextend through key apertures 110. Underlying each of keys 118 is a keyactuation protrusion 120. Disposed at multiple locations on key mat arecase open switch actuation responsive displaceable portions 122, eachincluding a top facing protrusion 124, which is engaged by acorresponding case open switch actuation protrusion 114, and a bottomfacing protrusion 126.

It is a particular feature of a preferred embodiment of the presentinvention that when the housing is closed, case open switch actuationprotrusions 114 engage corresponding protrusions 124 and causedisplacement of corresponding case open switch actuation responsivedisplaceable portions 122 in a direction indicated by an arrow 128.Opening of the housing retracts case open switch actuation protrusions114 from corresponding protrusions 124 and enables displacement ofcorresponding case open switch actuation responsive displaceableportions 122 in a direction opposite to that indicated by arrow 128 as aresult of resilience of the case open switch actuation responsivedisplaceable portions 122 and key mat 116.

Underlying key mat 116 is a light guide element 130 which includes anarray 132 of apertures 134 which accommodate key actuation protrusions120. It is a particular feature of a preferred embodiment of the presentinvention that light guide element 130 also includes a plurality ofapertures 136, which accommodate bottom facing protrusions 126 of caseopen switch actuation responsive displaceable portions 122.

Underlying light guide element 130 and preferably adhered to anunderside surface thereof is a key contact layer 140. Key contact layer140 preferably includes an array 142 of raised resilient conductivedomes 144, such as those commercially available from Snaptron, Inc. ofWindsor, Colo., USA. It is a particular feature of an embodiment of thepresent invention that key contact layer 140 also includes a pluralityof apertures 146 which accommodate bottom facing protrusions 126 of caseopen switch actuation responsive displaceable portions 122, particularlywhen displaced in the direction of arrow 128, when the housing isclosed.

An anti-tampering grid 150, formed of a multiplicity of interconnectedanti-tampering electrical conductors in a flexible printed circuit board(PCB) is optionally provided between the light guide element 130 and thekey contact layer 140.

Underlying key contact layer 140 is an electrical circuit board 160,which functions, inter alia, as a key contact pad board, defining aplurality of pairs of adjacent electrical contact pads 162, each pairunderlying a corresponding dome 144, preferably made of carbon, metal orcombination of carbon/metal. The arrangement of key contact layer 140and of electrical circuit board 160 is such that depression of a key 118by the finger of a user causes dome 144 to establish electrical contactwith and between a corresponding pair of electrical contact pads 162lying thereunder and in registration therewith. When key 118 is notdepressed, no electrical contact exists between dome 144 and a pair ofcorresponding electrical contact pads 162 or between the adjacent padsof the pair.

Electrical circuit board 160 preferably includes an anti-tampering grid164 formed of a multiplicity of interconnected anti-tampering electricalconductors. The anti-tampering grids 150 and 164 are coupled toanti-tampering detection circuitry 166.

In accordance with a preferred embodiment of the present invention,case-open switches, which sense physical tampering and opening of thehousing, are provided, each preferably including the followingstructure:

-   -   an arrangement of electrical contacts 170 arranged on a base        surface, preferably electrical circuit board 160, and    -   a resiliently deformable conductive element 172, which defines a        short circuit between at least some of said arrangement of        electrical contacts 170 only when said housing is closed.

The arrangement of electrical contacts 170 preferably includes an outerring 174, an optionally quartered outer intermediate ring 176, an innerintermediate ring 178, and a central contact 180. It is appreciated thatouter intermediate ring 176 may be a continuous ring or may be dividedinto any number of elements.

It is a particular feature of an embodiment of the present inventionthat the resiliently deformable conductive element 172 includes an atleast partially continuous circumferential flange 184 fixed at least twolocations 186 thereat in electrical contact with at least two quadrantsof outer intermediate ring 176, a circumferential portion 188 having across sectional configuration which includes two mutually spaced arches190 (as seen in FIGS. 6A and 6B), a central portion 192 disposed in acase-open operative orientation at a first distance from the basesurface; and a contact portion 194 located interiorly of the centralportion and disposed in a case-open operative orientation at a seconddistance from the base surface, less than the first distance.

When the housing is opened by at least approximately 0.75 mm, one ormore of the plurality of spaced case open switch actuation protrusions114 is retracted from one or more corresponding top facing protrusions124 of one or more case open switch actuation responsive displaceableportions 122, whose resilience causes corresponding retraction of one ormore bottom facing protrusions 126, whose retraction reduces thepressure on one or more central portion 192 of one or more resilientlydeformable conductive elements 172. This results in at least one contactportion 194 becoming separated from a corresponding contact 180.

Reference is now made to FIGS. 6A and 6B, which are simplified sectionalillustrations of the case open switch of FIGS. 4A-5B in respective caseclosed and case open operative orientations, and to FIG. 7, which is adetailed sectional illustration of secure keypad device, including thecase open switch, in a case closed operative orientation. Forsimplicity, FIGS. 6A-7 do not include the optional anti-tampering grid150 (FIGS. 1A & 1B).

As seen generally in FIG. 7 and with greater specificity in FIG. 6A,when the housing is in a case closed operative orientation, case openswitch actuation protrusions 114 (FIGS. 1B & 2) engage correspondingprotrusions 124 (FIG. 1A) and cause displacement of corresponding caseopen switch actuation responsive displaceable portions 122 (FIGS. 1A &1B) in the direction indicated by arrow 128. As a result, bottom facingprotrusions 126 of case open switch actuation responsive displaceableportions 122 are in pressure contact with central portion 192 ofresiliently deformable conductive element 172.

This pressure contact displaces the central portion 192 downwardly inthe direction of arrow 128 such that contact portion 194 of resilientlydeformable conductive element 172 is in touching and electrical contactwith central contact 180, thus electrically connecting outerintermediate ring 176 with central contact 180. It is noted that due tothe particular configuration and construction of resiliently deformableconductive element 172, no part of resiliently deformable conductiveelement 172 is in electrical contact with either of rings 174 and 178.

As seen in FIG. 6A, outer ring 174 and inner intermediate ring 178 areboth coupled to a voltage VDD via a resistor R₁, outer intermediate ring176 is grounded and central contact 180 is coupled to voltage VDD via aresistor R₂. A voltage V₂ may be measured to indicate whether thehousing is open or closed, i.e. whether or not deformable conductiveelement 172 is simultaneously in contact with both central contact 180and outer intermediate ring 176. When deformable conductive element 172is simultaneously in contact with both central contact 180 and outerintermediate ring 176, V₂ is zero. Otherwise V₂ equals VDD.

An attempt to tamper with the case open switch by short circuitingcentral contact 180 and outer intermediate ring 176 will also shortcircuit inner intermediate ring 178 with contact 180 and/or outerintermediate ring 176 or short circuit outer ring 174 with outerintermediate ring 176 and may be detected by measuring a voltage V₁.During normal operation, where no tampering is detected, V₁ is equal toVDD. An attempt to tamper with the case open switch causes voltage V₁ tobe zero.

Anti-tampering circuitry 166 (FIG. 1B) preferably is operative tomeasure voltages V₁ and V₂ and to provide tampering alarms and responsesaccordingly. Optional anti tampering grids 150 and 164 may also becoupled to anti tampering circuitry 166.

Attempts to tamper with the case open switch, as by applying conductiveadhesive under resiliently deformable conductive element 172 orinsertion of a conductive element under resiliently deformableconductive element 172 may be made in order to establish an electricalconnection between ring 176 and contact 180 even when the housing isopen.

Such attempts to tamper can be expected to result in establishment of anelectrical connection between the resiliently deformable conductiveelement 172, rings 176 and central contact 180 on the one hand and atleast one of rings 174 and 178, thus producing an alarm.

It is a particular feature of the present invention that the requireddisplacement of resiliently deformable conductive element 172 alongarrow 128 into a case closed operative orientation is relatively small.This may be seen by reference to FIG. 6B, which indicates that theseparation between the contact portion 194 of resiliently deformableconductive element 172 and contact 180 in the direction indicated alongarrow 128 is preferably 0.06 mm. It is also seen in FIG. 6B that thedistance between the top of the circumferential portion 188 to thebottom of flange 184 is preferably 0.3 mm, the diameter of the centralportion 192 is preferably 3.7 mm and the diameter of the contact portion194 is preferably 0.50 mm. The overall diameter of the resilientlydeformable conductive element 172 is preferably 5.50 mm and the radialextent of flange 184 is 0.33 mm.

Additionally, circumferential flange 184 preferably is attached bysoldering thereof, at discrete locations 186 therealong, to outerintermediate ring 176 and the provision of circumferential portion 188having a cross sectional configuration which includes two mutuallyspaced arches 190 reduces the amount of force required to displacecontact portion 194 into electrical contact with contact 180. Preferablythe required force is about 200 grams.

Furthermore, the angular displacement of resiliently deformableconductive element 172 between case open and case closed operativeorientations is small, resulting in high reliability of reversion to acase open orientation when the housing is opened, even after having beenclosed for a long time.

The above features make attempts to tamper difficult.

It is appreciated by persons skilled in the art that the presentinvention is not limited by what has been particularly shown anddescribed hereinabove. Rather the scope of the present inventionincludes both combinations and subcombinations of various featuresdescribed hereinabove as well as variations and modifications theretowhich would occur to a person of skill in the art upon reading the abovedescription and which are not in the prior art.

1. A data entry device comprising: a housing formed of at least twoportions; data entry circuitry located within said housing; at least onecase-open switch assembly operative to sense when said housing isopened; and tamper indication circuitry operative to receive an inputfrom said at least one case-open switch assembly and to provide anoutput indication of possible tampering with said data entry circuitrylocated within said housing, said at least one case-open switch assemblyincluding: an arrangement of electrical contacts arranged on a basesurface; and a resiliently deformable conductive element, which definesa short circuit between at least some of said arrangement of electricalcontacts only when said housing is closed, said resiliently deformableconductive element comprising: an at least partially continuouscircumferential flange fixed at least two locations thereat inelectrical contact with at least one of said electrical contacts atleast two corresponding locations on said base surface; acircumferential portion having a cross sectional configuration whichincludes two mutually spaced arches; a central portion disposed in acase-open operative orientation at a first distance from said basesurface; and a contact portion located interiorly of said centralportion and disposed in a case-open operative orientation at a seconddistance from said base surface, less than said first distance.
 2. Adata entry device according to claim 1 and wherein said arches of saidcircumferential portion are at least at a distance from said basesurface which exceeds said first distance.
 3. A data entry deviceaccording to claim 1 and wherein said central portion is generally flat.4. A data entry device according to claim 1 and wherein said contactportion is generally flat.
 5. A data entry device according to claim 1and wherein said resiliently deformable conductive element defines ashort circuit between some, but not all, of said arrangement ofelectrical contacts when said housing is closed.
 6. A data entry deviceaccording to claim 1 and wherein said arrangement of electrical contactsarranged on a base surface comprises an outer ring, at least oneintermediate ring and a central contact.
 7. A data entry deviceaccording to claim 6 and wherein said at least one intermediate ringincludes an outer intermediate ring and an inner intermediate ring.
 8. Adata entry device according to claim 7 and wherein said outerintermediate ring is a continuous ring.
 9. A data entry device accordingto claim 7 and wherein said outer intermediate ring is divided intoplural elements.
 10. A data entry device according to claim 7 andwherein said central portion of said resiliently deformable conductiveelement contacts said central contact when said housing is closed.
 11. Adata entry device according to claim 10 and wherein when said centralportion of said resiliently deformable conductive element contacts saidcentral contact, said outer intermediate ring is thereby electricallyconnected with said central contact.
 12. A data entry device accordingto claim 11 and wherein when said central portion of said resilientlydeformable conductive element contacts said central contact, no part ofsaid resiliently deformable conductive element is in electrical contactwith either said outer ring or said inner intermediate ring.
 13. A dataentry device according to claim 12 and wherein said outer ring and saidinner intermediate ring are both coupled to a voltage VDD via a firstresistor, said outer intermediate ring is grounded, and said centralcontact is coupled to voltage VDD via a second resistor.
 14. A dataentry device according to claim 12 and wherein said input to said tamperindication circuitry includes an indication of whether said deformableconductive element is simultaneously in contact with both said centralcontact and said outer intermediate ring.
 15. A data entry deviceaccording to claim 12 and wherein said input to said tamper indicationcircuitry includes an indication of whether said inner intermediate ringis short circuited with at least one of said central contact and saidouter intermediate ring.
 16. A data entry device according to claim 12and wherein said input to said tamper indication circuitry includes anindication of whether said outer ring is short circuited with said outerintermediate ring.
 17. A data entry device according to claim 1 andwherein a separation between said contact portion of said resilientlydeformable conductive element and said central contact is less than 0.1mm. 18, A data entry device according to claim 1 and wherein a forcerequired to establish electrical contact between said contact portion ofsaid resiliently deformable conductive element and said central contactis approximately 200 grams.
 19. A data entry device according to claim 1and also comprising an anti-tampering grid, formed of a multiplicity ofinterconnected anti-tampering electrical conductors in a circuit boardassociated with said tamper indication circuitry.
 20. A case-open switchassembly for a data entry device including a housing, the case-openswitch assembly comprising: an arrangement of electrical contactsarranged on a base surface; and a resiliently deformable conductiveelement, which defines a short circuit between at least some of saidarrangement of electrical contacts only when said housing is closed,said resiliently deformable conductive element comprising: an at leastpartially continuous circumferential flange fixed at least two locationsthereat in electrical contact with at least one of said electricalcontacts at at least two corresponding locations on said base surface; acircumferential portion having a cross sectional configuration whichincludes two mutually spaced arches; a central portion disposed in acase-open operative orientation at a first distance from said basesurface; and a contact portion located interiorly of said centralportion and disposed in a case-open operative orientation at a seconddistance from said base surface, less than said first distance.